bootstrap: Make Eafe work in webview.

chrome/browser/resources/gaia_auth_host/authenticator.js

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 <include src="saml_handler.js">
 
 /**
  * @fileoverview An UI component to authenciate to Chrome. The component hosts
  * IdP web pages in a webview. A client who is interested in monitoring
  * authentication events should pass a listener object of type
@@ skipping 58 matching lines @@
     'gaiaPath',      // Gaia path to use without a leading slash.
     'hl',            // Language code for the user interface.
     'email',         // Pre-fill the email field in Gaia UI.
     'service',       // Name of Gaia service.
     'continueUrl',   // Continue url to use.
     'frameUrl',      // Initial frame URL to use. If empty defaults to
                      // gaiaUrl.
     'constrained',   // Whether the extension is loaded in a constrained
                      // window.
     'clientId',      // Chrome client id.
+    'useEafe',       // Whether to use EAFE.
     'needPassword',  // Whether the host is interested in getting a password.
                      // If this set to |false|, |confirmPasswordCallback| is
                      // not called before dispatching |authCopleted|.
                      // Default is |true|.
     'flow',          // One of 'default', 'enterprise', or 'theftprotection'.
     'enterpriseDomain',    // Domain in which hosting device is (or should be)
                            // enrolled.
     'emailDomain',         // Value used to prefill domain for email.
     'deviceId',            // User device ID (sync Id).
     'sessionIsEphemeral',  // User session would be ephemeral.
@@ skipping 22 matching lines @@
     this.continueUrl_ = null;
     this.continueUrlWithoutParams_ = null;
     this.initialFrameUrl_ = null;
     this.reloadUrl_ = null;
     this.trusted_ = true;
     this.oauth_code_ = null;
     this.deviceId_ = null;
     this.sessionIsEphemeral_ = null;
     this.onBeforeSetHeadersSet_ = false;
 
+    this.useEafe_ = false;
+    this.clientId_ = null;
+
     this.samlHandler_ = new cr.login.SamlHandler(this.webview_);
     this.confirmPasswordCallback = null;
     this.noPasswordCallback = null;
     this.insecureContentBlockedCallback = null;
     this.samlApiUsedCallback = null;
     this.missingGaiaInfoCallback = null;
     this.needPassword = true;
     this.samlHandler_.addEventListener(
         'insecureContentBlocked',
         this.onInsecureContentBlocked_.bind(this));
@@ skipping 55 matching lines @@
    */
   Authenticator.prototype.load = function(authMode, data) {
     this.clearCredentials_();
     this.idpOrigin_ = data.gaiaUrl || IDP_ORIGIN;
     this.continueUrl_ = data.continueUrl || CONTINUE_URL;
     this.continueUrlWithoutParams_ =
         this.continueUrl_.substring(0, this.continueUrl_.indexOf('?')) ||
         this.continueUrl_;
     this.isConstrainedWindow_ = data.constrained == '1';
     this.isNewGaiaFlowChromeOS = data.isNewGaiaFlowChromeOS;
+    this.useEafe_ = data.useEafe || false;
+    this.clientId_ = data.clientId;
 
     this.initialFrameUrl_ = this.constructInitialFrameUrl_(data);
     this.reloadUrl_ = data.frameUrl || this.initialFrameUrl_;
     // Don't block insecure content for desktop flow because it lands on
     // http. Otherwise, block insecure content as long as gaia is https.
     this.samlHandler_.blockInsecureContent = authMode != AuthMode.DESKTOP &&
         this.idpOrigin_.indexOf('https://') == 0;
     this.needPassword = !('needPassword' in data) || data.needPassword;
 
     if (this.isNewGaiaFlowChromeOS) {
@@ skipping 219 matching lines @@
    */
   Authenticator.prototype.onMessageFromWebview_ = function(e) {
     if (!this.isWebviewEvent_(e))
       return;
 
     // The event origin does not have a trailing slash.
     if (e.origin != this.idpOrigin_.substring(0, this.idpOrigin_.length - 1)) {
       return;
     }
 
+    // EAFE passes back auth code via message.
+    if (this.useEafe_ &&
+        typeof e.data == 'object' &&
+        e.data.hasOwnProperty('authorizationCode')) {
+      assert(!this.oauth_code_);
+      this.oauth_code_ = e.data.authorizationCode;
+      this.dispatchEvent(
+          new CustomEvent('authCompleted',
+                          {
+                            detail: {
+                              authCodeOnly: true,
+                              authCode: this.oauth_code_
+                            }
+                          }));
+      return;
+    }
+
     // Gaia messages must be an object with 'method' property.
     if (typeof e.data != 'object' || !e.data.hasOwnProperty('method')) {
       return;
     }
 
     var msg = e.data;
     if (msg.method == 'attemptLogin') {
       this.email_ = msg.email;
       this.password_ = msg.password;
       this.chooseWhatToSync_ = msg.chooseWhatToSync;
@@ skipping 178 matching lines @@
    * Invoked when the webview finishes loading a page.
    * @private
    */
   Authenticator.prototype.onLoadStop_ = function(e) {
     if (!this.loaded_) {
       this.loaded_ = true;
       this.dispatchEvent(new Event('ready'));
       // Focus webview after dispatching event when webview is already visible.
       this.webview_.focus();
     }
+
+    // Sends client id to EAFE on every loadstop after a small timeout. This is
+    // needed because EAFE sits behind SSO and initialize asynchrounouly
+    // and we don't know for sure when it is loaded and ready to listen
+    // for message. The postMessage is guarded by EAFE's origin.
+    if (this.useEafe_) {
+      window.setTimeout((function() {

[Nikita (slow), 2015/04/23 21:14:02]

nit: I suppose you can drop window here.

[xiyuan, 2015/04/23 21:30:48]

Both styles (w/ or w/o window) are used in chromium js code. Personally I prefer
to use more specific names. And I already slipped one window.setTimeout in this
file. :)

+        var msg = {
+          'clientId': this.clientId_
+        };
+        this.webview_.contentWindow.postMessage(msg, this.idpOrigin_);
+      }).bind(this), 500);

[Nikita (slow), 2015/04/23 21:14:01]

nit: extract constant.
Are you sure that 500 ms is sufficient timeout for this task?

[xiyuan, 2015/04/23 21:30:48]

Constact extracted and added comment.

500ms is an arbitrary number which should be more than enough. Before webview, I
was relying on a message posted up by their UI but that is no longer possible in
webview since we have to postMessage in first.

EAFE is just for prototyping and would be merged into new Gaia. Until then, we
probably can get rid of this message and use just the handshake since clientId
is passed to Gaia via URL param.

+    }
   };
 
   /**
    * Invoked when the webview navigates withing the current document.
    * @private
    */
   Authenticator.prototype.onLoadCommit_ = function(e) {
     if (this.oauth_code_) {
       this.skipForNow_ = true;
       this.maybeCompleteAuth_();
@@ skipping 28 matching lines @@
   Authenticator.AuthMode = AuthMode;
   Authenticator.SUPPORTED_PARAMS = SUPPORTED_PARAMS;
 
   return {
     // TODO(guohui, xiyuan): Rename GaiaAuthHost to Authenticator once the old
     // iframe-based flow is deprecated.
     GaiaAuthHost: Authenticator,
     Authenticator: Authenticator
   };
 });